Another privacy issue has been discovered in Google Drive which could have led to sensitive and personal information stored on the cloud service being exposed to unauthorized parties.
The security flaw has now been patched by Google, but its discovery shows how exposed cloud data is when it is shared via a link: “anyone who has the link” can access your private data without any further authentication.
HOW THE SECURITY FLAW WORKS
The security hole posed a risk to files on the cloud file sharing service that included a clickable URL.
When someone opens the file and clicks on an embedded hyperlink, they are sent to the website of a third-party website owner.
Unfortunately, once that URL has been accessed, the external Internet user, an unauthorized party, could potentially access your sensitive information by opening the original document that included the URL.
Google explained the actual nature of the security flaw in a blog post published last week. The company said that the flaw only affected a “small subset of file types” in Google Drive.
The security issue is relevant only if all four of these conditions apply:
- The file was uploaded to Google Drive
- The file was not converted to Docs, Sheets, or Slides (i.e., remained in its original format such as .pdf, .docx, etc.)
- The owner changed sharing settings so that the document was available to “anyone with the link”
- The file contained hyperlinks to third-party HTTPS websites in its content
If all of the above conditions applied, a user who clicked on the embedded hyperlink could have inadvertently sent header information to the administrator of the third-party website, allowing him or her to potentially see the URL of the original document that linked to his or her site.
Google assured its users that newly shared documents with hyperlinks to third-party HTTPS websites will not inadvertently relay the original document’s URL.
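The header that carries the linking page's URL is the HTTP Referer header. The JavaScript below is an added example, not code from Google or from the original article: a simplified model of the W3C Referrer Policy rules showing which policies hand a link-shared document's full URL to a linked site and which withhold it. All URLs are constructed, and treating a "downgrade" as an HTTPS document linking to a non-HTTPS target is a simplifying assumption.

```javascript
// Added example: simplified model of the W3C Referrer Policy rules.
// Assumption: "downgrade" is modelled as HTTPS document -> non-HTTPS target.
const POLICIES = ['no-referrer', 'no-referrer-when-downgrade', 'origin',
  'same-origin', 'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url'];

// Returns the Referer value a browser would send, or null if none is sent.
function refererFor(policy, docUrl, targetUrl) {
  const doc = new URL(docUrl);
  const target = new URL(targetUrl);
  doc.username = ''; doc.password = ''; doc.hash = ''; // always stripped
  const full = doc.href;
  const originOnly = doc.origin + '/';
  const sameOrigin = doc.origin === target.origin;
  const downgrade = doc.protocol === 'https:' && target.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case 'unsafe-url': return full;
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// Policies under which the linked site learns the document's path and query,
// i.e. the unguessable part of an "anyone with the link" URL.
function policiesThatLeak(docUrl, targetUrl) {
  const originOnly = new URL(docUrl).origin + '/';
  return POLICIES.filter((p) => {
    const ref = refererFor(p, docUrl, targetUrl);
    return ref !== null && ref !== originOnly;
  });
}

// Constructed sample URLs (not real documents or sites).
const DOC = 'https://drive.example/file/d/CONSTRUCTED-LINK-ID/view?usp=sharing';
const HTTPS_SITE = 'https://third-party.example/landing';
const HTTP_SITE = 'http://third-party.example/landing';

for (const p of POLICIES) {
  console.log(p.padEnd(32), '->', refererFor(p, DOC, HTTPS_SITE));
}
console.log('leaks to HTTPS site:', policiesThatLeak(DOC, HTTPS_SITE));
console.log('leaks to HTTP site: ', policiesThatLeak(DOC, HTTP_SITE));
```

Under `no-referrer-when-downgrade`, an HTTPS-hosted document sends its full URL to HTTPS targets but nothing to HTTP targets, which is consistent with the fourth condition above being limited to third-party HTTPS websites.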
HOW TO PROTECT YOURSELF
At the same time, if any of your previously shared documents match any of the four criteria above, Google says you can generate a new and safe sharing link by following just three simple steps:
- Create a copy of the document, via File > “Make a copy…”
- Share the copy of the document with particular people or via a new shareable link, via the “Share” button
- Delete the original document
The security flaw is similar to the Dropbox hyperlink disclosure vulnerability discovered earlier this year by Intralinks. The hyperlink disclosure vulnerability in Dropbox led to the exposure of personal documents stored in Dropbox and all sorts of things you would not want to disclose, such as tax returns, bank records, mortgage applications, blueprints, and business plans.
Source: The Hacker News